How to make sure the service principal has the necessary permissions to deploy to the App Service

Borton, Brian 0 Reputation points
2023-05-30T14:55:37.1066667+00:00
Hello,
We have an issue with deploying our application to our web server.
We use a pipeline.
One of the tasks is named Azure App Service Deployment
It is this task that is failing
This is the error generated:
Got service connection details for Azure App Service:[our-web-server] 
##[error]Error: Failed to get resource ID for resource type 'Microsoft.Web/Sites' and resource name [our-web-server]. Error: Could not fetch access token for Azure. Verify if the Service Principal used is valid and not expired. For more information refer https://aka.ms/azureappservicedeploytsg 
(node:3604) UnhandledPromiseRejectionWarning: TypeError: Cannot read property 'getApplicationURL' of undefined
When I look inside the pipeline to that task I see:
Azure subscription: [our] app service (xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx)
App Service type: Web App on Windows
App Service name: WISDM-QA
Here is the YAML
steps:
- task: AzureRmWebAppDeployment@4
  displayName: 'Azure App Service Deploy'
  inputs:
    azureSubscription: '[our] app service (xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx)'
    WebAppName: '[our-web-server]'
    packageForLinux: '$(build.artifactstagingdirectory)/**/*.zip'
    enableCustomDeployment: true
    RemoveAdditionalFilesFlag: true
When I go to: “Manage” (a link by the Azure subscription) it takes me to:
https://dev.azure.com/[us]/[our-application]/_settings/adminservices?resourceId=xxxxxxxxxxxxxxxxxxxxxxxxxxx
When I click on “Manage Service Principal” I go to:
https://portal.azure.com/#view/Microsoft_AAD_RegisteredApps/ApplicationMenuBlade/~/Overview/appId/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Display name: [us-our-application]-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Application (client) ID: yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy
And indeed, the secret had expired. 5/27/2023.
I created a new Client Secret 
BUT
The pipeline still does not deploy to [our-web-server]
When I go to portal.azure.com and check the subscription I see:
truarchs subscription xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
In [us] overview page
I go to Access control (IAM)
https://portal.azure.com/#@[us].com/resource/subscriptions/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/users
And look at Role assignments
This is where I have some confusion.
There are two [us]- [us-our-application]-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx to be found.
The only thing distinguishing them is their Application (client) 
ALSO
In the Portal, reviewing the Azure Active Directory > App registrations there are two.
[us-our-application]-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
one with Application (client) ID: 
yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy
and another:
zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
Both are listed as “Current” in the Certificates & secrets column.
BUT
Still the pipeline fails at Azure App Service Deployment task
ChatGPT offered a set of things to check

1.	Verify the service principal:
•	Go to the Azure portal and navigate to "Azure Active Directory > App registrations."
•	Make sure that the service principal with the Application (client) ID: yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy is the one intended for the [our-web-server] deployment.
•	Confirm that this service principal has the necessary permissions and is not expired.
2.	Update the pipeline:
•	Double-check your pipeline YAML file and ensure that the service principal information is correctly specified.
•	Verify that the azureSubscription value '[us] app service (xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx)' corresponds to the correct subscription and service principal.
3.	Validate access to the resource:
•	In the Azure portal, navigate to "Azure App Service > [our-web-server]."
•	Confirm that the App Service exists and is accessible with the provided service principal.
•	Make sure the service principal has the necessary permissions to deploy to the App Service.
4.	Refresh the access token:
•	If the service principal is valid and has the required permissions, try refreshing the access token by regenerating the secret key.
•	Generate a new secret key and update the service principal configuration in the pipeline with the new secret.
5.	Debug pipeline logs:
•	Run the pipeline with additional debug logging enabled to gather more information about the deployment process.
•	Examine the pipeline logs for any specific error messages or warnings that could provide further insights into the failure.


I did all but #3, bullet 3 - "Make sure the service principal has the necessary permissions to deploy to the App Service" - which is the one I am unsure how to do.




1 answer

  1. Grmacjon-MSFT 17,366 Reputation points
    2023-05-31T00:13:12.9833333+00:00

    Hi @Borton, Brian

    Thanks for the question. To make sure that the service principal has the necessary permissions to deploy to the App Service, you need to grant it the "Contributor" role on the App Service or the resource group that contains the App Service.

    Here's how you can do it:

    1. Go to the Azure portal and navigate to the App Service or the resource group that contains the App Service.
    2. Click on "Access control (IAM)" in the left-hand menu.
    3. Click on "Add" and select "Add role assignment".
    4. In the "Add role assignment" pane, select "Contributor" as the role and search for the service principal you want to grant the role to.
    5. Click on "Save" to grant the role to the service principal.

    Once you have granted the "Contributor" role to the service principal, it will have the necessary permissions to deploy to the App Service.

    Here are some sources that provide more information on how to grant roles to service principals:

    I hope this helps.

    Best,

    Grace
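The role check described in the answer can also be done against exported role assignments, which helps when two app registrations share a display name as in the question. The following is an added example, not part of the original thread: it assumes assignments shaped like the output of `az role assignment list --all --output json`, and every ID, the resource group names, and the set of roles treated as sufficient are constructed placeholders or assumptions.

```python
# Added example; every ID and resource group name below is a constructed placeholder.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
APP = SUB + "/resourceGroups/rg-web-qa/providers/Microsoft.Web/sites/our-web-server"

# Assumption: roles treated as sufficient to deploy. The answer names Contributor;
# Owner includes everything Contributor can do.
DEPLOY_ROLES = {"Contributor", "Owner"}

# Client ID -> service principal object ID. Role assignments reference the object ID,
# not the Application (client) ID shown on the app registration.
SP_OBJECT_IDS = {"client-id-yyyy": "object-id-yyyy", "client-id-zzzz": "object-id-zzzz"}

# Trimmed to the three fields used here.
ASSIGNMENTS = [
    {"principalId": "object-id-yyyy", "roleDefinitionName": "Contributor",
     "scope": SUB + "/resourceGroups/rg-web"},      # different group whose name is a prefix
    {"principalId": "object-id-yyyy", "roleDefinitionName": "Reader",
     "scope": SUB},                                  # inherited by the app, but read-only
    {"principalId": "object-id-zzzz", "roleDefinitionName": "Contributor",
     "scope": SUB + "/resourcegroups/RG-WEB-QA"},    # same group, different letter case
]

def scope_covers(scope, resource_id):
    """True if a role assigned at `scope` is inherited by `resource_id`.

    Resource IDs are compared case-insensitively and on whole path segments.
    Management-group scopes are not handled in this sketch.
    """
    s = scope.rstrip("/").lower()
    r = resource_id.rstrip("/").lower()
    return s == "" or r == s or r.startswith(s + "/")

def deploy_assignments(assignments, sp_object_ids, app_resource_id, roles=DEPLOY_ROLES):
    """Map each client ID to the (role, scope) pairs that reach the App Service."""
    result = {client_id: [] for client_id in sp_object_ids}
    for client_id, object_id in sp_object_ids.items():
        for a in assignments:
            if (a["principalId"].lower() == object_id.lower()
                    and a["roleDefinitionName"] in roles
                    and scope_covers(a["scope"], app_resource_id)):
                result[client_id].append((a["roleDefinitionName"], a["scope"]))
    return result

if __name__ == "__main__":
    for client_id, hits in deploy_assignments(ASSIGNMENTS, SP_OBJECT_IDS, APP).items():
        print(client_id, "->", hits or "no deploy-capable role reaches the App Service")
```

An empty list for the client ID that the pipeline's service connection uses means the role still has to be granted to that principal. Assigning it at the App Service scope rather than the resource group or subscription keeps the grant as narrow as the deployment needs.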